DoD Enforces NIST Qualifier on End-of-Year Contract Actions

By: Jill Lawson

Historically, at the end of the Department of Defense’s (DoD’s) fiscal year (FY) each September, acquisition professionals re-align planned budgets to expend expiring funds or to increase execution rates. Some DoD Contractors have realized higher payments and/or additional payments. Previously, no contract clause existed to qualify for contract modifications or renewals.

Now, for the first time, contractors' eligibility for end-of-year (EOY) increased or new contract payments have a reporting condition, the Suppliers Performance Risk System (SPRS) score, per 16 June Acquisition and Sustainment (A&S) memo: “Contract Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012.”

A&S informed Contracting Officers (KOs) that there are two remedies available for contractors that do not have a current SPRS score. These remedies do not allow contract modifications, nor option years, which could prevent companies from receiving EOY additional or larger payments.

DFARS 252.204.7020: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Requirements mandates the SPRS score. Contractors must create a System Security Plan (SSP), score it using the DoD Scoring Methodology and post the summary score to SPRS. If that score is under 110, a Plan of Action and Milestones (POAM) -- with a completion date of when the 110 will be achieved -- must also be uploaded to SPRS. The DoD scoring methodology paragraph 5.g states if a SSP does not exist, one cannot score, period.

In October of 2021, the Department of Justice (DOJ) established the new Civil Cyber-Fraud Initiative. (DOJ Notice 21-971) to enforce defense cybersecurity standards. It is now risky to post information to SPRS that is not accurate.

To Conform or Not to Conform to NIST

The decision challenge is: Does one create an SSP on the system that is not qualified to transit CUI as mandated by DFARS 252.204.7012, or does one purchase a compliance solution and then self-assess? Only company leadership can make that decision based upon understanding the consequences and organizational impacts of both scenarios.

For instance, initiating purchases and migration will produce a higher score, and produce an accurate and attainable POAM. However, if that is not feasible then the only other option is creating an SSP on systems that do not meet existing contractual obligations. There is an inherent risk with option two because that acknowledges non-conformity. Each company is unique, and each contract is unique. Managing the SPRS requirement to qualify for end-of-year funding is important, not just for EOY but also for October forward.

To assist with impacting challenges like this, contact your provider to discuss available business and technical solutions.